Hackers have found a new technique for compromising WordPress sites in which they install backdoored plugins on websites powered by WordPress. The technique succeeds when a site runs an obsolete version of WordPress together with the Jetpack plugin. The attacker chains several weaknesses, so attacking a WordPress website this way takes multiple steps. The attacks came to light on May 16 in a report released by the WordPress security firm Wordfence.
The first step of this attack involves no exploit at all: the hacker collects usernames and passwords leaked in public data breaches and uses them to attempt to log in to the victims' WordPress.com accounts. Users who have reused passwords across different websites and have not enabled two-factor authentication on their profiles are the most exposed to these brute-force attacks.
WordPress.com accounts are used to manage professional blogs hosted on Automattic's services. A few years back, Automattic took the analytics plugin used on WordPress.com and released it as an open-source plugin for self-hosted WordPress sites. That module, named Jetpack, is one of the most popular plugins for WordPress sites. Its distinguishing feature is that it connects a self-hosted WordPress site to a WordPress.com account, so the site can be managed from the Jetpack panel inside wordpress.com. Jetpack can install plugins across several connected sites from the wordpress.com Jetpack dashboard alone. The plugin does not even have to be hosted on the official WordPress.org repository: whoever controls the account can upload a ZIP file containing malicious code, and it is then pushed to every connected site.
Hackers are taking advantage of this remote management feature to deploy backdoored plugins across websites that were previously secure. Experts say the attacks started on May 16, with the hackers deploying a plugin named “pluginsamonsters” and later, on May 21, switching to another plugin named “wpsmilepack”.
“The plugin is visible on the WordPress.com dashboard but is invisible on the target WordPress site’s plugin list when active,” the Wordfence team said. Bloggers who notice any suspicious activity should immediately change the password of their WordPress.com account.
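The behaviour Wordfence quotes above, a plugin that runs but does not appear in the site's plugin list, can be checked for directly. The following is an added example, not code from Wordfence, Jetpack or WordPress: a WP-CLI `eval-file` script (it assumes WP-CLI is installed on the server) that reads the `active_plugins` option straight from the database and reports every entry that the admin Plugins screen would not display.

```php
<?php
// hidden-plugin-check.php: constructed example, not Jetpack or Wordfence code.
// Run inside a WordPress install with:  wp eval-file hidden-plugin-check.php
// WordPress loads plugins from the `active_plugins` option; the admin Plugins
// screen shows get_plugins() after the `all_plugins` filter, which a concealing
// plugin can hook to drop itself. Listing what is loaded but not shown exposes it.

if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

function hidden_active_plugins(): array {
    global $wpdb;
    // Read the option straight from the database so that a plugin hooking
    // `option_active_plugins` cannot hide from this check either.
    $raw    = $wpdb->get_var( $wpdb->prepare(
        "SELECT option_value FROM {$wpdb->options} WHERE option_name = %s",
        'active_plugins'
    ) );
    $active = array_filter( (array) maybe_unserialize( (string) $raw ) );

    if ( is_multisite() ) {
        // Network-activated plugins are keyed by plugin file in this option.
        $network = (array) get_site_option( 'active_sitewide_plugins', array() );
        $active  = array_merge( $active, array_keys( $network ) );
    }

    // The list an administrator sees on the Plugins screen.
    $visible = apply_filters( 'all_plugins', get_plugins() );

    $hidden = array();
    foreach ( array_unique( $active ) as $file ) {
        if ( ! isset( $visible[ $file ] ) ) {
            // Record whether the file exists: a missing file is a stale entry,
            // an existing one is code that runs without appearing in the list.
            $hidden[ $file ] = file_exists( WP_PLUGIN_DIR . '/' . $file );
        }
    }
    return $hidden;
}

$hidden = hidden_active_plugins();
if ( empty( $hidden ) ) {
    WP_CLI::success( 'All active plugins are visible on the Plugins screen.' );
    return;
}
foreach ( $hidden as $file => $on_disk ) {
    WP_CLI::warning( "Active but hidden from the plugin list: $file (file on disk: " . ( $on_disk ? 'yes' : 'no' ) . ')' );
}
WP_CLI::halt( 1 );
```

Running it from cron and alerting on a non-zero exit status gives a site owner an early signal that a plugin was activated behind the administrator's back, whatever path it arrived by.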